1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
5 <!-- Stuff for xincludes -->
6 <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
9 <!-- entities files to use -->
10 <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
15 <chapter id="Big500users">
16 <title>The 500-User Office</title>
19 The Samba-3 networking you explored in the previous chapter covers the finer points of
20 configuration of peripheral services such as DHCP and DNS, and WINS. You experienced
21 implementation of a simple configuration of the services that are important adjuncts
22 to successful deployment of Samba.
26 An analysis of the history of postings to the Samba mailing list easily demonstrates
27 that the two most prevalent Samba problem areas are:
32 Defective resolution of a NetBIOS name to its IP address
42 The next chapter deals with more complex printing configurations. The exercises
43 so far in this book have focused on implementation of the simplest printing processes
44 involving no print job processing intelligence. In this chapter, you maintain
45 that same approach to printing, but in the following chapter, there is an opportunity
46 to make printing more complex for the administrator while making it easier for the user.
50 <primary>WINS server</primary>
51 </indexterm><indexterm>
52 <primary>tdbsam</primary>
53 </indexterm><indexterm>
54 <primary>passdb backend</primary>
56 The previous chapter demonstrates operation of a DHCP server and a DNS server,
57 as well as a central WINS server. You validated the operation of these services and
58 saw an effective implementation of a Samba Domain Controller using the
59 <parameter>tdbsam</parameter> passdb backend.
63 The objective of this chapter is to introduce more complex techniques that can be used to
64 improve manageability of Samba as networking needs grow. In this chapter, you implement
65 a distributed DHCP server environment, a distributed DNS server arrangement, a centralized
66 WINS server, and a centralized Samba Domain Controller.
70 A note of caution is important regarding the Samba configuration that is used in this
71 chapter. The use of a single Domain Controller on a routed, multi-segment network is
72 a poor design choice that leads to potential network user complaints. As stated
73 in the paragraph above, the objective in this chapter is to demonstrate some successful
74 techniques in deployment and configuration management. This should be viewed as a
75 foundation chapter for complex Samba deployments.
79 As you master the techniques presented here, you may find much better methods to
80 improve network management and control while reducing human resource overheads.
81 You should take the opportunity to innovate and expand on the methods presented
82 here and explore them to the fullest.
86 <title>Introduction</title>
89 Business continues to go well for Abmas. Mr. Meany is driving your success and the
90 network continues to grow thanks to the hard work Christine has done. You recently
91 hired Stanley Soroka as Manager of Information Systems. Christine recommended Stan
92 to the role. She told you Stan is so good at handling Samba that he can make a cast
93 iron rocking horse that is embedded in concrete kick like a horse at a rodeo. You
94 need skills like his. Christine and Stan get along just fine. Let's see what
95 you can get out of this pair as they plot the next generation networks.
99 Ten months ago Abmas closed an acquisition of a property insurance business. The
100 founder lost interest in the business and decided to sell it to Mr. Meany.
101 Because they were former university classmates, the purchase was concluded with mutual assent. The
102 acquired business is located at the other end of town in much larger facilities.
103 The old Abmas building has become too small. Located on the same campus as the
104 newly acquired business are two empty buildings that are ideal to provide
105 Abmas with opportunity for growth.
109 Abmas has now completed the purchase of the two empty buildings and you are
110 to install a new network and relocate staff in nicely furnished new facilities.
111 The new network is to be used to fully integrate company operations. You have
112 decided to locate the new network operations control center in the larger building
113 in which the insurance group is located to take advantage of an ideal floor space
114 and to allow Stan and Christine to fully stage the new network and test it before
115 it is rolled out. Your strategy is to complete the new network so that it
116 is ready for operation when the old office moves into the new premises.
120 <title>Assignment Tasks</title>
123 The acquired business had 280 network users. The old Abmas building housed
124 220 network users in unbelievably cramped conditions. The network that
125 initially served 130 users now handles 220 users quite well.
129 The two businesses will be fully merged to create a single campus company.
130 The Property Insurance Group (PIG) houses 300 employees, the new Accounting
131 Services Group (ASG) will be in a small building (BLDG1) that houses 50
132 employees, and the Financial Services Group (FSG) will be housed in a large
133 building that has capacity for growth (BLDG2). Building 2 houses 150 network
138 You have decided to connect the building using fiber optic links between new
139 routers. As a backup, the buildings are interconnected using line-of-sight
140 high-speed infrared facilities. The infrared connection provides a
141 secondary route to be used during periods of high demand for network
146 The Internet gateway is upgraded to 15 Megabit/sec service. Your ISP
147 provides on your premises a fully managed Cisco PIX firewall. You no longer need
148 to worry about firewall facilities on your network.
152 Stanley Soroka and Christine have purchased new server hardware. Christine wants to
153 roll out a network that has whistles and bells. Stan wants to start off with
154 a simple to manage, not-too-complex network. He is of the opinion that network
155 users need to be gradually introduced to new features and capabilities and not
156 rushed into an environment that may cause disorientation and loss of productivity.
160 Your intrepid network team has decided to implement a network configuration
161 that closely mirrors the successful system you installed in the old Abmas building.
162 The new network infrastructure is owned by Abmas, but all desktop systems
163 are being procured through a new out-source services and leasing company. Under
164 the terms of a deal with Mr. M. Proper (CEO), DirectPointe Inc., provides
165 all desktop systems and includes full level-one Help desk support for
166 a flat per-machine monthly fee. The deal allows you to add workstations on demand.
167 This frees Stan and Christine to deal with deeper issues as they emerge and
168 permits Stan to work on creating new future value-added services.
172 DirectPointe Inc. receives from you a new standard desktop configuration
173 every four months. They automatically roll that out to each desktop system.
174 You must keep DirectPointe informed of all changes.
178 <primary>PDC</primary>
180 The new network has a single Samba Domain Controller (PDC) located in the
181 Network Operation Center (NOC). Buildings 1 and 2 each have a local server
182 for local application servicing. It is a Domain Member. The new system
183 uses the <parameter>tdbsam</parameter> passdb backend.
187 Printing is based on raw pass-through facilities as it has been used so far.
188 All printer drivers are installed on the desktop and notebook computers.
195 <title>Dissection and Discussion</title>
198 <indexterm><primary>network load factors</primary></indexterm>
199 The example you are building in this chapter is an example of a network design that works,
200 but this does not make it a design that is recommended. As a general rule, there should
201 be at least one Backup Domain Controller per 50 Windows network clients. The principle behind
202 this recommendation is the fact that correct operation of MS Windows clients requires rapid
203 network response to all SMB/CIFS requests. The same rule says that if there are more than
204 50 clients per Domain Controller they are too busy to service requests. Let's put such
205 rules aside and recognize that network load affects the integrity of Domain Controller
206 responsiveness. This network will have 500 clients serviced by one central Domain
207 Controller. This is not a good omen for user satisfaction. You, of course, address this
208 very soon (see next chapter).
212 <title>Technical Issues</title>
215 Stan has talked you into a horrible compromise, but it is addressed. Just make
216 certain that the performance of this network is well validated before going live.
220 Design decisions made in this design include:
225 <indexterm><primary>PDC</primary></indexterm>
226 <indexterm><primary>LDAP</primary></indexterm>
227 <indexterm><primary>identity management</primary></indexterm>
228 A single Primary Domain Controller (PDC) is being implemented. This limitation
229 is based on the choice not to use LDAP. Many network administrators fear using
230 LDAP based on the perceived complexity of implementation and management of an
231 LDAP-based backend for all user identity management as well as to store network
236 <indexterm><primary>BDC</primary></indexterm>
237 <indexterm><primary>machine secret password</primary></indexterm>
238 Because of the refusal to use an LDAP (ldapsam) passdb backend at this time,
239 the only choice that makes sense with 500 users is to use the tdbsam passwd backend.
240 This type of backend is not receptive to replication to Backup Domain Controllers.
241 If the tdbsam <filename>passdb.tdb</filename> file is replicated to Backup Domain
242 Controllers (BDCs) using <command>rsync</command>, there are two potential problems:
243 1) Data that is in memory but not yet written to disk will not be replicated,
244 and 2) Domain Member machines periodically change the secret machine password. When
245 this happens, there is no mechanism to return the changed password to the PDC.
249 All Domain user, group, and machine accounts are managed on the PDC. This makes
250 for a simple mode of operation, but has to be balanced with network performance and
251 integrity of operations considerations.
255 <indexterm><primary>WINS</primary></indexterm>
256 A single central WINS server is being used. The PDC is also the WINS server.
257 Any attempt to operate a routed network without a WINS server while using NetBIOS
258 over TCP/IP protocols does not work unless on each client the name resolution
259 entries for the PDC are added to the <filename>LMHOSTS</filename>. This file is
260 normally located on the Windows XP Professional client in the
261 <filename>C:\WINDOWS\SYSTEM32\ETC\DRIVERS</filename> directory.
265 At this time the Samba WINS database is not capable of being replicated. That is
266 why a single WINS server is being implemented. This should work without a problem.
270 <indexterm><primary>winbindd</primary></indexterm>
271 Backup Domain Controllers make use of <command>winbindd</command> to provide
272 access to Domain security credentials for file system access and object storage.
276 <indexterm><primary>DHCP</primary><secondary>relay</secondary></indexterm>
277 <indexterm><primary>DHCP</primary><secondary>requests</secondary></indexterm>
278 Configuration of Windows XP Professional clients is achieved using DHCP. Each
279 subnet has its own DHCP server. Backup DHCP serving is provided by one
280 alternate DHCP server. This necessitates enabling of the DHCP Relay agent on
281 all routers. The DHCP Relay agent must be programmed to pass DHCP Requests from the
282 network directed at the backup DHCP server.
286 All network users are granted the ability to print to any printer that is network
287 attached. All printers are available from each server. Print jobs that are spooled
288 to a printer that is not on the local network segment are automatically routed to
289 the print spooler that is in control of that printer. The specific details of how this
290 might be done is demonstrated for one example only.
294 The network address and sub-netmask chosen provide 1022 usable IP addresses in
295 each subnet. If in the future more addresses are required, it would make sense
296 to add further subnets rather than change addressing.
305 <title>Political Issues</title>
308 This case gets close to the real world. You and I know the right way to implement
309 Domain Control. Politically, we have to navigate a mine field. In this case, the need is to
310 get the PDC rolled out in compliance with expectations and also to be ready to save the day
311 by having the real solution ready before it is needed. That real solution is presented in
320 <title>Implementation</title>
323 The following configuration process begins following installation of Red Hat Linux 9.0 on the
324 three servers shown in the network topology diagram in <link linkend="chap05net"/>. You have
325 selected hardware that is appropriate to the task.
328 <figure id="chap05net">
329 <title>Network Topology &smbmdash; 500 User Network Using tdbsam passdb backend.</title>
331 <imageobject role="latex">
332 <imagedata fileref="guide/images/chap5-net.png" scale="80" scalefit="1"/>
335 <imagedata fileref="guide/images/chap5-net.png" scale="80" scalefit="1"/>
340 <sect2 id="ch5-dnshcp-setup">
341 <title>Installation of DHCP, DNS, and Samba Control Files</title>
344 Carefully install the configuration files into the correct locations as shown in
345 <link linkend="ch5-filelocations"/>. You should validate that the full file path is
350 The abbreviation shown in this table as <constant>{VLN}</constant> means
351 the directory location beginning with <filename>/var/lib/named</filename>.
355 <table id="ch5-filelocations"><title>Domain: <constant>MEGANET</constant>, File Locations for Servers</title>
357 <colspec colname='c1' align="left"/>
358 <colspec colname='c2' align="left"/>
359 <colspec colname='c3' align="center"/>
360 <colspec colname='c4' align="center"/>
361 <colspec colname='c5' align="center"/>
364 <entry align="center" namest='c1' nameend='c2'>File Information</entry>
365 <entry align="center" namest="c3" nameend="c5">Server Name</entry>
368 <entry align="center">Source</entry>
369 <entry align="center">Target Location</entry>
370 <entry align="center">MASSIVE</entry>
371 <entry align="center">BLDG1</entry>
372 <entry align="center">BLDG2</entry>
377 <entry><link linkend="ch5-massivesmb"/></entry>
378 <entry><filename>/etc/samba/smb.conf</filename></entry>
384 <entry><link linkend="ch5-dc-common"/></entry>
385 <entry><filename>/etc/samba/dc-common.conf</filename></entry>
391 <entry><link linkend="ch5-commonsmb"/></entry>
392 <entry><filename>/etc/samba/common.conf</filename></entry>
398 <entry><link linkend="ch5-bldg1-smb"/></entry>
399 <entry><filename>/etc/samba/smb.conf</filename></entry>
405 <entry><link linkend="ch5-bldg2-smb"/></entry>
406 <entry><filename>/etc/samba/smb.conf</filename></entry>
412 <entry><link linkend="ch5-dommem-smb"/></entry>
413 <entry><filename>/etc/samba/dommem.conf</filename></entry>
419 <entry><link linkend="massive-dhcp"/></entry>
420 <entry><filename>/etc/dhcpd.conf</filename></entry>
426 <entry><link linkend="bldg1dhcp"/></entry>
427 <entry><filename>/etc/dhcpd.conf</filename></entry>
433 <entry><link linkend="bldg2dhcp"/></entry>
434 <entry><filename>/etc/dhcpd.conf</filename></entry>
440 <entry><link linkend="massive-nameda"/></entry>
441 <entry><filename>/etc/named.conf (part A)</filename></entry>
447 <entry><link linkend="massive-namedb"/></entry>
448 <entry><filename>/etc/named.conf (part B)</filename></entry>
454 <entry><link linkend="massive-namedc"/></entry>
455 <entry><filename>/etc/named.conf (part C)</filename></entry>
461 <entry><link linkend="abmasbizdns"/></entry>
462 <entry><filename>{VLN}/master/abmas.biz.hosts</filename></entry>
468 <entry><link linkend="abmasusdns"/></entry>
469 <entry><filename>{VLN}/master/abmas.us.hosts</filename></entry>
475 <entry><link linkend="bldg12nameda"/></entry>
476 <entry><filename>/etc/named.conf (part A)</filename></entry>
482 <entry><link linkend="bldg12namedb"/></entry>
483 <entry><filename>/etc/named.conf (part B)</filename></entry>
489 <entry><link linkend="loopback"/></entry>
490 <entry><filename>{VLN}/localhost.zone</filename></entry>
496 <entry><link linkend="dnsloopy"/></entry>
497 <entry><filename>{VLN}/127.0.0.zone</filename></entry>
503 <entry><link linkend="roothint"/></entry>
504 <entry><filename>{VLN}/root.hint</filename></entry>
516 <title>Server Preparation &smbmdash; All Servers</title>
519 The following steps apply to all servers. Follow each step carefully.
524 Using the UNIX/Linux system tools, set the name of the server as shown in the network
525 topology diagram in <link linkend="chap05net"/>. For SUSE Linux products, the tool
526 that permits this is called <command>yast2</command>; for Red Hat Linux products,
527 you can use the <command>netcfg</command> tool.
528 Verify that your hostname is correctly set by running:
530 &rootprompt; uname -n
532 An alternate method to verify the hostname is:
534 &rootprompt; hostname -f
539 <indexterm><primary>/etc/hosts</primary></indexterm><indexterm>
540 <primary>named</primary>
542 Edit your <filename>/etc/hosts</filename> file to include the primary names and addresses
543 of all network interfaces that are on the host server. This is necessary so that during
544 startup the system is able to resolve all its own names to the IP address prior to
545 startup of the DNS server. You should check the startup order of your system. If the
546 CUPS print server is started before the DNS server (<command>named</command>), you
547 should also include an entry for the printers in the <filename>/etc/hosts</filename> file.
551 <indexterm><primary>/etc/resolv.conf</primary></indexterm>
552 All DNS name resolution should be handled locally. To ensure that the server is configured
553 correctly to handle this, edit <filename>/etc/resolv.conf</filename> so it has the following
556 search abmas.us abmas.biz
559 This instructs the name resolver function (when configured correctly) to ask the DNS server
560 that is running locally to resolve names to addresses.
565 <indexterm><primary>administrator</primary></indexterm><indexterm>
566 <primary>smbpasswd</primary>
568 Add the <constant>root</constant> user to the password backend as follows:
570 &rootprompt; smbpasswd -a root
571 New SMB password: XXXXXXXX
572 Retype new SMB password: XXXXXXXX
575 The <constant>root</constant> account is the UNIX equivalent of the Windows Domain Administrator.
576 This account is essential in the regular maintenance of your Samba server. It must never be
577 deleted. If for any reason the account is deleted, you may not be able to recreate this account
578 without considerable trouble.
582 <indexterm><primary>username map</primary></indexterm><indexterm>
583 <primary>/etc/samba/smbusers</primary>
585 Create the username map file to permit the <constant>root</constant> account to be called
586 <constant>Administrator</constant> from the Windows network environment. To do this, create
587 the file <filename>/etc/samba/smbusers</filename> with the following contents:
594 # Unix_ID = Windows_ID
597 # root = Administrator
598 # janes = "Jane Smith"
601 # Note: If the name contains a space it must be double quoted.
602 # In the example above the name 'jimbo' will be mapped to Windows
603 # user names 'Jim' and 'Bones' because the space was not quoted.
604 #######################################################################
613 Configure all network attached printers to have a fixed IP address.
617 Create an entry in the DNS database on the server <constant>MASSIVE</constant>
618 in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
619 and in the reverse lookup database for the network segment that the printer is
620 located in. Example configuration files for similar zones were presented in
621 <link linkend="abmasbiz"/> and <link linkend="eth2zone"/>.
625 Follow the instructions in the printer manufacturer's manuals to permit printing
626 to port 9100. Use any other port the manufacturer specifies for direct mode,
627 raw printing. This allows the CUPS spooler to print using raw mode protocols.
628 <indexterm><primary>CUPS</primary></indexterm>
629 <indexterm><primary>raw printing</primary></indexterm>
633 <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
634 Only on the server to which the printer is attached configure the CUPS Print
637 &rootprompt; lpadmin -p <parameter>printque</parameter> -v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
639 <indexterm><primary>print filter</primary></indexterm>
640 This step creates the necessary print queue to use no assigned print filter. This
641 is ideal for raw printing, i.e., printing without use of filters.
642 The name <parameter>printque</parameter> is the name you have assigned for
643 the particular printer.
647 Print queues may not be enabled at creation. Make certain that the queues
648 you have just created are enabled by executing the following:
650 &rootprompt; /usr/bin/enable <parameter>printque</parameter>
655 Even though your print queue may be enabled, it is still possible that it
656 does not accept print jobs. A print queue services incoming printing
657 requests only when configured to do so. Ensure that your print queue is
658 set to accept incoming jobs by executing the following command:
660 &rootprompt; /usr/bin/accept <parameter>printque</parameter>
665 <indexterm><primary>mime type</primary></indexterm>
666 <indexterm><primary>/etc/mime.convs</primary></indexterm>
667 <indexterm><primary>application/octet-stream</primary></indexterm>
668 Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
670 application/octet-stream application/vnd.cups-raw 0 -
675 <indexterm><primary>/etc/mime.types</primary></indexterm>
676 Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
678 application/octet-stream
683 Refer to the CUPS printing manual for instructions regarding how to configure
684 CUPS so that print queues that reside on CUPS servers on remote networks
685 route print jobs to the print server that owns that queue. The default setting
686 on your CUPS server may automatically discover remotely installed printers and
687 may permit this functionality without requiring specific configuration.
691 As part of the rollout program, you need to configure the application's
692 server shares. This can be done once on the central server and may then be
693 replicated using a tool such as <command>rsync</command>. Refer to the man
694 page for <command>rsync</command> for details regarding use. The notes in
695 <link linkend="ch4appscfg"/> may help in your decisions to use an application
702 Logon scripts that are run from a Domain Controller (PDC or BDC) are capable of using semi-intelligent
703 processes to auto-map Windows client drives to an application server that is nearest to the client. This
704 is considerably more difficult when a single PDC is used on a routed network. It can be done, but not
705 as elegantly as you see in the next chapter.
711 <title>Server Specific Preparation</title>
714 There are some steps that apply to particular server functionality only. Each step is critical
715 to correct server operation.
719 <title>Configuration for Server: <constant>MASSIVE</constant></title>
723 <indexterm><primary>/etc/rc.d/boot.local</primary></indexterm>
724 <indexterm><primary>IP forwarding</primary></indexterm>
725 The host server acts as a router between the two internal network segments as well
726 as for all Internet access. This necessitates that IP forwarding must be enabled. This can be
727 achieved by adding to the <filename>/etc/rc.d/boot.local</filename> an entry as follows:
729 echo 1 > /proc/sys/net/ipv4/ip_forward
731 To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute
732 that command manually also. This setting permits the Linux system to act as a router.
736 This server is dual hosted (i.e., has two network interfaces) &smbmdash; one goes to the Internet,
737 and the other to a local network that has a router that is the gateway to the remote networks.
738 You must, therefore, configure the server with route table entries so that it can find machines
739 on the remote networks. You can do this using the appropriate system tools for your Linux
740 server or using static entries that you place in one of the system startup files. It is best
741 to always use the tools that the operating system vendor provided. In the case of SUSE Linux, the
742 best tool to do this is YaST (refer to SUSE Administration Manual); in the case of Red Hat,
743 this is best done using the graphical system configuration tools (see the Red Hat documentation).
744 An example of how this may be done manually is as follows:
746 &rootprompt; route add net 172.16.4.0 netmask 255.255.252.0 gw 172.16.0.128
747 &rootprompt; route add net 172.16.8.0 netmask 255.255.252.0 gw 172.16.0.128
749 If you just execute these commands manually, the route table entries you have created are
750 not persistent across system reboots. You may add these commands directly to the local
751 startup files as follows: (SUSE) <filename>/etc/rc.d/boot.local</filename>, (Red Hat)
752 <filename>/etc/rc.d/init.d/rc.local</filename>.
756 <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
757 The final step that must be completed is to edit the <filename>/etc/nsswitch.conf</filename> file.
758 This file controls the operation of the various resolver libraries that are part of the Linux
759 Glibc libraries. Edit this file so that it contains the following entries:
761 hosts: files dns wins
766 <indexterm><primary>initGrps.sh</primary></indexterm>
767 Create and map Windows Domain Groups to UNIX groups. A sample script is provided in
768 <link linkend="ch5-initgrps"/>. Create a file containing this script. You called yours
769 <filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed
770 and then execute the script. An example of the execution of this script as well as its
771 validation are shown in Chapter 4, Section 4.3.2, Step 5.
775 <indexterm><primary>/etc/passwd</primary></indexterm>
776 <indexterm><primary>password</primary><secondary>backend</secondary></indexterm>
777 <indexterm><primary>smbpasswd</primary></indexterm>
778 For each user who needs to be given a Windows Domain account, make an entry in the
779 <filename>/etc/passwd</filename> file, as well as in the Samba password backend.
780 Use the system tool of your choice to create the UNIX system account and use the Samba
781 <command>smbpasswd</command> to create a Domain user account.
785 <indexterm><primary>useradd</primary></indexterm>
786 <indexterm><primary>adduser</primary></indexterm>
787 <indexterm><primary>user</primary><secondary>management</secondary></indexterm>
788 There are a number of tools for user management under UNIX. Commonly known ones include:
789 <command>useradd, adduser</command>. In addition to these, there is a plethora of custom
790 tools. With the tool of your choice, create a home directory for each user.
794 Using the preferred tool for your UNIX system, add each user to the UNIX groups created
795 previously as necessary. File system access control based on UNIX group membership.
799 Create the directory mount point for the disk sub-system that is to be mounted to provide
800 data storage for company files. In this case, the mount point indicated in the &smb.conf;
801 file is <filename>/data</filename>. Format the file system as required and mount the formatted
802 file system partition using appropriate system tools.
806 <indexterm><primary>file system</primary>
807 <secondary>permissions</secondary></indexterm>
808 Create the top-level file storage directories for data and applications as follows:
810 &rootprompt; mkdir -p /data/{accounts,finsvcs,pidata}
811 &rootprompt; mkdir -p /apps
812 &rootprompt; chown -R root.root /data
813 &rootprompt; chown -R root.root /apps
814 &rootprompt; chown -R bjordan.accounts /data/accounts
815 &rootprompt; chown -R bjordan.finsvcs /data/finsvcs
816 &rootprompt; chown -R bjordan.finsvcs /data/pidata
817 &rootprompt; chmod -R ug+rwxs,o-rwx /data
818 &rootprompt; chmod -R ug+rwx,o+rx-w /apps
820 Each department is responsible for creating its own directory structure within the departmental
821 share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>.
822 The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>.
823 The <filename>/apps</filename> directory is the root of the <constant>apps</constant> share
824 that provides the application server infrastructure.
828 The &smb.conf; file specifies an infrastructure to support roaming profiles and network
829 logon services. You can now create the file system infrastructure to provide the
830 locations on disk that these services require. Adequate planning is essential
831 since desktop profiles can grow to be quite large. For planning purposes, a minimum of
832 200 Megabytes of storage should be allowed per user for profile storage. The following
833 commands create the directory infrastructure needed:
835 &rootprompt; mkdir -p /var/spool/samba
836 &rootprompt; mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
837 &rootprompt; chown -R root.root /var/spool/samba
838 &rootprompt; chown -R root.root /var/lib/samba
839 &rootprompt; chmod a+rwxt /var/spool/samba
841 For each user account that is created on the system, the following commands should be
844 &rootprompt; mkdir /var/lib/samba/profiles/'username'
845 &rootprompt; chown 'username'.users /var/lib/samba/profiles/'username'
846 &rootprompt; chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
851 Create a logon script. It is important that each line is correctly terminated with
852 a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
853 works if the right tools (<constant>unxi2dos</constant> and <constant>dos2unix</constant>) are installed.
854 First, create a file called <filename>/var/lib/samba/netlogon/scripts/logon.bat.unix</filename>
855 with the following contents:
857 net time \\massive /set /yes
860 Convert the UNIX file to a DOS file as follows:
862 &rootprompt; dos2unix < /var/lib/samba/netlogon/scripts/logon.bat.unix \
863 > /var/lib/samba/netlogon/scripts/logon.bat
868 There is one preparatory step without which you cannot have a working Samba network
869 environment. You must add an account for each network user. You can do this by executing
870 the following steps for each user:
872 &rootprompt; useradd -m <parameter>username</parameter>
873 &rootprompt; passwd <parameter>username</parameter>
874 Changing password for <parameter>username</parameter>.
875 New password: XXXXXXXX
876 Re-enter new password: XXXXXXXX
878 &rootprompt; smbpasswd -a <parameter>username</parameter>
879 New SMB password: XXXXXXXX
880 Retype new SMB password: XXXXXXXX
881 Added user <parameter>username</parameter>.
883 You do, of course, use a valid user login ID in place of <parameter>username</parameter>.
887 Follow the processes shown in <link linkend="ch5-procstart"/> to start all services.
891 Your server is ready for validation testing. Do not proceed with the steps in
892 <link linkend="ch5-domsvrspec"/> until after the operation of the server has been
893 validated following the same methods as outlined in <link linkend="ch4valid"/>.
900 <sect3 id="ch5-domsvrspec">
901 <title>Configuration Specific to Domain Member Servers: <constant>BLDG1, BLDG2</constant></title>
905 <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
906 The final step that must be completed is to edit the <filename>/etc/nsswitch.conf</filename> file.
907 This file controls the operation of the various resolver libraries that are part of the Linux
908 Glibc libraries. Edit this file so that it contains the following entries:
910 passwd: files winbind
912 hosts: files dns wins
917 Follow the steps outlined in <link linkend="ch5-procstart"/> to start all services. Do not
918 start Samba at this time. Samba is controlled by the process called <command>smb</command>.
921 <step><para><indexterm>
922 <primary>net</primary>
923 <secondary>rpc</secondary>
924 <tertiary>join</tertiary>
926 At this time, you must now attempt to join the Domain Member servers to the Domain. The following
927 instructions should be executed to effect this:
929 &rootprompt; net rpc join
933 <step><para><indexterm>
934 <primary>service</primary>
935 <secondary>smb</secondary>
936 <tertiary>start</tertiary>
938 You now start the Samba services by executing:
940 &rootprompt; service smb start
945 Your server is ready for validation testing. Do not proceed with the steps in
946 <link linkend="ch5-domsvrspec"/> until after the operation of the server has been
947 validated following the same methods as outlined in <link linkend="ch4valid"/>.
957 <smbconfexample id="ch5-massivesmb">
958 <title>Server: MASSIVE (PDC), File: <filename>/etc/samba/smb.conf</filename></title>
959 <smbconfcomment>Global parameters</smbconfcomment>
960 <smbconfsection>[global]</smbconfsection>
961 <smbconfoption><name>workgroup</name><value>MEGANET</value></smbconfoption>
962 <smbconfoption><name>netbios name</name><value>MASSIVE</value></smbconfoption>
963 <smbconfoption><name>interfaces</name><value>eth1, lo</value></smbconfoption>
964 <smbconfoption><name>bind interfaces only</name><value>Yes</value></smbconfoption>
965 <smbconfoption><name>passdb backend</name><value>tdbsam</value></smbconfoption>
966 <smbconfoption><name>add user script</name><value>/usr/sbin/useradd -m %u</value></smbconfoption>
967 <smbconfoption><name>delete user script</name><value>/usr/sbin/userdel -r %u</value></smbconfoption>
968 <smbconfoption><name>add group script</name><value>/usr/sbin/groupadd %g</value></smbconfoption>
969 <smbconfoption><name>delete group script</name><value>/usr/sbin/groupdel %g</value></smbconfoption>
970 <smbconfoption><name>add user to group script</name><value>/usr/sbin/usermod -G %g %u</value></smbconfoption>
971 <smbconfoption><name>add machine script</name><value>/usr/sbin/useradd -s /bin/false -d /dev/null %u</value></smbconfoption>
972 <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
973 <smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>
974 <smbconfoption><name>include</name><value>/etc/samba/dc-common.conf</value></smbconfoption>
976 <smbconfsection>[IPC$]</smbconfsection>
977 <smbconfoption><name>path</name><value>/tmp</value></smbconfoption>
978 <smbconfoption><name>hosts allow</name><value>172.16.0.0/16, 127.0.0.1</value></smbconfoption>
979 <smbconfoption><name>hosts deny</name><value>0.0.0.0/0</value></smbconfoption>
981 <smbconfsection>[accounts]</smbconfsection>
982 <smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption>
983 <smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption>
984 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
986 <smbconfsection>[service]</smbconfsection>
987 <smbconfoption><name>comment</name><value>Financial Services Files</value></smbconfoption>
988 <smbconfoption><name>path</name><value>/data/service</value></smbconfoption>
989 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
991 <smbconfsection>[pidata]</smbconfsection>
992 <smbconfoption><name>comment</name><value>Property Insurance Files</value></smbconfoption>
993 <smbconfoption><name>path</name><value>/data/pidata</value></smbconfoption>
994 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
998 <smbconfexample id="ch5-dc-common">
999 <title>Server: MASSIVE (PDC), File: <filename>/etc/samba/dc-common.conf</filename></title>
1000 <smbconfcomment>Global parameters</smbconfcomment>
1001 <smbconfsection>[global]</smbconfsection>
1002 <smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
1003 <smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
1004 <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
1005 <smbconfoption><name>logon path</name><value>\%L\profiles\%U</value></smbconfoption>
1006 <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
1007 <smbconfoption><name>logon home</name><value>\%L\%U</value></smbconfoption>
1008 <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
1009 <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
1010 <smbconfoption><name>include</name><value>/etc/samba/common.conf</value></smbconfoption>
1012 <smbconfsection>[homes]</smbconfsection>
1013 <smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
1014 <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
1015 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
1016 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
1018 <smbconfsection>[netlogon]</smbconfsection>
1019 <smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
1020 <smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
1021 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
1022 <smbconfoption><name>locking</name><value>No</value></smbconfoption>
1024 <smbconfsection>[profiles]</smbconfsection>
1025 <smbconfoption><name>comment</name><value>Profile Share</value></smbconfoption>
1026 <smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
1027 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
1028 <smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
1032 <smbconfexample id="ch5-commonsmb">
1033 <title>Common Samba Configuration File: <filename>/etc/samba/common.conf</filename></title>
1034 <smbconfsection>[global]</smbconfsection>
1035 <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
1036 <smbconfoption><name>log level</name><value>1</value></smbconfoption>
1037 <smbconfoption><name>syslog</name><value>0</value></smbconfoption>
1038 <smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
1039 <smbconfoption><name>max log size</name><value>50</value></smbconfoption>
1040 <smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
1041 <smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
1042 <smbconfoption><name>time server</name><value>Yes</value></smbconfoption>
1043 <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
1044 <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
1045 <smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
1046 <smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
1047 <smbconfoption><name>utmp</name><value>Yes</value></smbconfoption>
1048 <smbconfoption><name>map acl inherit</name><value>Yes</value></smbconfoption>
1049 <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
1050 <smbconfoption><name>veto files</name><value>/*.eml/*.nws/*.{*}/</value></smbconfoption>
1051 <smbconfoption><name>veto oplock files</name><value>/*.doc/*.xls/*.mdb/</value></smbconfoption>
1052 <smbconfoption><name>include</name><value> </value></smbconfoption>
1054 <smbconfcomment>Share and Service Definitions are common to all servers</smbconfcomment>
1055 <smbconfsection>[printers]</smbconfsection>
1056 <smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
1057 <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
1058 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
1059 <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
1060 <smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
1061 <smbconfoption><name>default devmode</name><value>Yes</value></smbconfoption>
1062 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
1064 <smbconfsection>[apps]</smbconfsection>
1065 <smbconfoption><name>comment</name><value>Application Files</value></smbconfoption>
1066 <smbconfoption><name>path</name><value>/apps</value></smbconfoption>
1067 <smbconfoption><name>admin users</name><value>bjordan</value></smbconfoption>
1068 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
1069 <smbconfoption><name>include</name><value></value></smbconfoption>
1073 <smbconfexample id="ch5-bldg1-smb">
1074 <title>Server: BLDG1 (Member), File: smb.conf</title>
1075 <smbconfcomment>Global parameters</smbconfcomment>
1076 <smbconfsection>[global]</smbconfsection>
1077 <smbconfoption><name>workgroup</name><value>MEGANET</value></smbconfoption>
1078 <smbconfoption><name>netbios name</name><value>BLDG1</value></smbconfoption>
1079 <smbconfoption><name>include</name><value>/etc/samba/dom-mem.conf</value></smbconfoption>
1083 <smbconfexample id="ch5-bldg2-smb">
1084 <title>Server: BLDG2 (Member), File: smb.conf</title>
1085 <smbconfcomment>Global parameters</smbconfcomment>
1086 <smbconfsection>[global]</smbconfsection>
1087 <smbconfoption><name>workgroup</name><value>MEGANET</value></smbconfoption>
1088 <smbconfoption><name>netbios name</name><value>BLDG2</value></smbconfoption>
1089 <smbconfoption><name>include</name><value>/etc/samba/dom-mem.conf</value></smbconfoption>
1093 <smbconfexample id="ch5-dommem-smb">
1094 <title>Common Domain Member Include File: dom-mem.conf</title>
1095 <smbconfcomment>Global parameters</smbconfcomment>
1096 <smbconfsection>[global]</smbconfsection>
1097 <smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
1098 <smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
1099 <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
1100 <smbconfoption><name>wins server</name><value>172.16.0.1</value></smbconfoption>
1101 <smbconfoption><name>idmap uid</name><value>15000-20000</value></smbconfoption>
1102 <smbconfoption><name>idmap gid</name><value>15000-20000</value></smbconfoption>
1103 <smbconfoption><name>include</name><value>/etc/samba/common.conf</value></smbconfoption>
1107 <example id="massive-dhcp">
1108 <title>Server: MASSIVE, File: dhcpd.conf</title>
1110 # Abmas Accounting Inc. - Chapter 5/MASSIVE
1112 default-lease-time 86400;
1113 max-lease-time 172800;
1114 default-lease-time 86400;
1116 ddns-update-style ad-hoc;
1118 option ntp-servers 172.16.0.1;
1119 option domain-name "abmas.biz";
1120 option domain-name-servers 172.16.0.1, 172.16.4.1;
1121 option netbios-name-servers 172.16.0.1;
1122 option netbios-node-type 8;
1124 subnet 172.16.1.0 netmask 255.255.252.0 {
1125 range dynamic-bootp 172.16.1.0 172.16.2.255;
1126 option subnet-mask 255.255.252.0;
1127 option routers 172.16.0.1, 172.16.0.128;
1128 allow unknown-clients;
1130 subnet 172.16.4.0 netmask 255.255.252.0 {
1131 range dynamic-bootp 172.16.7.0 172.16.7.254;
1132 option subnet-mask 255.255.252.0;
1133 option routers 172.16.4.128;
1134 allow unknown-clients;
1136 subnet 172.16.8.0 netmask 255.255.252.0 {
1137 range dynamic-bootp 172.16.11.0 172.16.11.254;
1138 option subnet-mask 255.255.252.0;
1139 option routers 172.16.4.128;
1140 allow unknown-clients;
1142 subnet 127.0.0.0 netmask 255.0.0.0 {
1145 subnet 123.45.67.64 netmask 255.255.255.252 {
1151 <example id="bldg1dhcp">
1152 <title>Server: BLDG1, File: dhcpd.conf</title>
1154 # Abmas Accounting Inc. - Chapter 5/BLDG1
1156 default-lease-time 86400;
1157 max-lease-time 172800;
1158 default-lease-time 86400;
1160 ddns-update-style ad-hoc;
1162 option ntp-servers 172.16.0.1;
1163 option domain-name "abmas.biz";
1164 option domain-name-servers 172.16.0.1, 172.16.4.1;
1165 option netbios-name-servers 172.16.0.1;
1166 option netbios-node-type 8;
1168 subnet 172.16.1.0 netmask 255.255.252.0 {
1169 range dynamic-bootp 172.16.3.0 172.16.2.254;
1170 option subnet-mask 255.255.252.0;
1171 option routers 172.16.0.1, 172.16.0.128;
1172 allow unknown-clients;
1174 subnet 172.16.4.0 netmask 255.255.252.0 {
1175 range dynamic-bootp 172.16.5.0 172.16.6.255;
1176 option subnet-mask 255.255.252.0;
1177 option routers 172.16.4.128;
1178 allow unknown-clients;
1180 subnet 127.0.0.0 netmask 255.0.0.0 {
1186 <example id="bldg2dhcp">
1187 <title>Server: BLDG2, File: dhcpd.conf</title>
1189 # Abmas Accounting Inc. - Chapter 5/BLDG1
1191 default-lease-time 86400;
1192 max-lease-time 172800;
1193 default-lease-time 86400;
1195 ddns-update-style ad-hoc;
1197 option ntp-servers 172.16.0.1;
1198 option domain-name "abmas.biz";
1199 option domain-name-servers 172.16.0.1, 172.16.4.1;
1200 option netbios-name-servers 172.16.0.1;
1201 option netbios-node-type 8;
1203 subnet 172.16.8.0 netmask 255.255.252.0 {
1204 range dynamic-bootp 172.16.9.0 172.16.10.255;
1205 option subnet-mask 255.255.252.0;
1206 option routers 172.16.8.128;
1207 allow unknown-clients;
1209 subnet 127.0.0.0 netmask 255.0.0.0 {
1215 <example id="massive-nameda">
1216 <title>Server: MASSIVE, File: named.conf, Part: A</title>
1219 # Abmas Biz DNS Control File
1221 # Date: November 15, 2003
1224 directory "/var/lib/named";
1234 multiple-cnames yes;
1243 zone "localhost" in {
1245 file "localhost.zone";
1248 zone "0.0.127.in-addr.arpa" in {
1250 file "127.0.0.zone";
1267 <example id="massive-namedb">
1268 <title>Server: MASSIVE, File: named.conf, Part: B</title>
1272 file "/var/lib/named/master/abmas.biz.hosts";
1286 file "/var/lib/named/master/abmas.us.hosts";
1298 <example id="massive-namedc">
1299 <title>Server: MASSIVE, File: named.conf, Part: C</title>
1301 zone "0.16.172.in-addr.arpa" {
1303 file "/var/lib/named/master/172.16.0.0.rev";
1315 zone "4.16.172.in-addr.arpa" {
1317 file "/var/lib/named/master/172.16.4.0.rev";
1329 zone "8.16.172.in-addr.arpa" {
1331 file "/var/lib/named/master/172.16.8.0.rev";
1346 <example id="abmasbizdns">
1347 <title>Forward Zone File: abmas.biz.hosts</title>
1350 $TTL 38400 ; 10 hours 40 minutes
1351 abmas.biz IN SOA massive.abmas.biz. root.abmas.biz. (
1353 10800 ; refresh (3 hours)
1354 3600 ; retry (1 hour)
1355 604800 ; expire (1 week)
1356 38400 ; minimum (10 hours 40 minutes)
1358 NS massive.abmas.biz.
1361 MX 10 massive.abmas.biz.
1363 massive A 172.16.0.1
1364 router0 A 172.16.0.128
1366 router4 A 172.16.4.128
1368 router8 A 172.16.8.128
1373 <example id="abmasusdns">
1374 <title>Forward Zone File: abmas.biz.hosts</title>
1377 $TTL 38400 ; 10 hours 40 minutes
1378 abmas.us IN SOA server.abmas.us. root.abmas.us. (
1380 10800 ; refresh (3 hours)
1381 3600 ; retry (1 hour)
1382 604800 ; expire (1 week)
1383 38400 ; minimum (10 hours 40 minutes)
1387 MX 10 mail.abmas.us.
1389 server A 123.45.67.66
1399 <example id="bldg12nameda">
1400 <title>Servers: BLDG1/BLDG2, File: named.conf, Part: A</title>
1403 # Abmas Biz DNS Control File
1405 # Date: November 15, 2003
1408 directory "/var/lib/named";
1417 multiple-cnames yes;
1426 zone "localhost" in {
1428 file "localhost.zone";
1431 zone "0.0.127.in-addr.arpa" in {
1433 file "127.0.0.zone";
1450 <example id="bldg12namedb">
1451 <title>Servers: BLDG1/BLDG2, File: named.conf, Part: B</title>
1455 file "/var/lib/named/slave/abmas.biz.hosts";
1464 zone "0.16.172.in-addr.arpa" {
1466 file "/var/lib/slave/master/172.16.0.0.rev";
1475 zone "4.16.172.in-addr.arpa" {
1477 file "/var/lib/named/slave/172.16.4.0.rev";
1486 zone "8.16.172.in-addr.arpa" {
1488 file "/var/lib/named/slave/172.16.8.0.rev";
1501 <example id="ch5-initgrps">
1502 <title>Initialize Groups Script, File: /etc/samba/initGrps.sh</title>
1506 # Create UNIX groups
1511 # Map Windows Domain Groups to UNIX groups
1512 net groupmap modify ntgroup="Domain Admins" unixgroup=root
1513 net groupmap modify ntgroup="Domain Users" unixgroup=users
1514 net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
1516 # Add Functional Domain Groups
1517 net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
1518 net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
1519 net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
1523 <!-- End of Examples -->
1525 <sect2 id="ch5-procstart">
1526 <title>Process Startup Configuration</title>
1529 <indexterm><primary>chkconfig</primary></indexterm><indexterm>
1530 <primary>daemon control</primary>
1532 There are two essential steps to process startup configuration. A process
1533 must be configured so that it is automatically restarted each time the server
1534 is rebooted. This step involves use of the <command>chkconfig</command> tool that
1535 created appropriate symbolic links from the master daemon control file that is
1536 located in the <filename>/etc/rc.d</filename> directory to the <filename>/etc/rc'x'.d</filename>
1537 directories. Links are created so that when the system run-level is changed, the
1538 necessary start or kill script is run.
1542 <indexterm><primary>/etc/xinetd.d</primary></indexterm>
1543 In the event that a service is provided not as a daemon but via the inter-networking
1544 super daemon (<command>inetd</command> or <command>xinetd</command>), then the <command>chkconfig</command>
1545 tool makes the necessary entries in the <filename>/etc/xinetd.d</filename> directory
1546 and sends a hang-up (HUP) signal to the super daemon, thus forcing it to
1547 re-read its control files.
1551 Last, each service must be started to permit system validation to proceed.
1556 Use the standard system tool to configure each service to restart
1557 automatically at every system reboot. For example:
1558 <indexterm><primary>chkconfig</primary></indexterm>
1560 &rootprompt; chkconfig dhpc on
1561 &rootprompt; chkconfig named on
1562 &rootprompt; chkconfig cups on
1563 &rootprompt; chkconfig smb on
1564 &rootprompt; chkconfig swat on
1569 <indexterm><primary>starting dhcpd</primary></indexterm>
1570 <indexterm><primary>starting samba</primary></indexterm>
1571 <indexterm><primary>starting CUPS</primary></indexterm>
1572 Now start each service to permit the system to be validated.
1573 Execute each of the following in the sequence shown:
1576 &rootprompt; service dhcp restart
1577 &rootprompt; service named restart
1578 &rootprompt; service cups restart
1579 &rootprompt; service smb restart
1580 &rootprompt; service swat restart
1587 <sect2 id="ch5wincfg">
1588 <title>Windows Client Configuration</title>
1591 The procedure for desktop client configuration for the network in this chapter is similar to
1592 that used for the previous one. There are a few subtle changes that should be noted.
1597 Install MS Windows XP Professional. During installation, configure the client to use DHCP for
1598 TCP/IP protocol configuration.
1599 <indexterm><primary>WINS</primary></indexterm>
1600 <indexterm><primary>DHCP</primary></indexterm>
1601 DHCP configures all Windows clients to use the WINS Server address that has been defined
1602 for the local subnet.
1606 Join the Windows Domain <constant>MEGANET</constant>. Use the Domain Administrator
1607 user name <constant>root</constant> and the SMB password you assigned to this account.
1608 A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
1609 a Windows Domain is given in <link linkend="domjoin"/>.
1610 Reboot the machine as prompted and then logon using the Domain Administrator account
1611 (<constant>root</constant>).
1615 Verify that the server called <constant>MEGANET</constant> is visible in <guimenu>My Network Places</guimenu>,
1616 that it is possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem>,
1617 <guimenuitem>apps</guimenuitem>, and <guimenuitem>finsvcs</guimenuitem>,
1618 and that it is possible to open each share to reveal its contents.
1622 Create a drive mapping to the <constant>apps</constant> share on a server. At this time, it does
1623 not particularly matter which application server is used. It is necessary to manually
1624 set a persistent drive mapping to the local applications server on each workstation at the time of
1625 installation. This step is avoided by the improvements to the design of the network configuration
1626 in the next chapter.
1630 Perform an administrative installation of each application to be used. Select the options
1631 that you wish to use. Of course, you choose to run applications over the network, correct?
1635 Now install all applications to be installed locally. Typical tools includes: Adobe Acrobat,
1636 NTP-based time synchronization software, drivers for specific local devices such as fingerprint
1637 scanners, and the like. Probably the most significant application to be locally installed
1638 is anti-virus software.
1642 Now install all four printers onto the staging system. The printers you install
1643 include the Accounting department HP LaserJet 6 and Minolta QMS Magicolor printers, and you
1644 also configure use of the identical printers that are located in the financial services department.
1645 Install printers on each machine using the following steps:
1650 <guimenu>Start</guimenu>
1651 <guimenuitem>Settings</guimenuitem>
1652 <guimenuitem>Printers</guimenuitem>
1653 <guiicon>Add Printer</guiicon>
1654 <guibutton>Next</guibutton>
1655 </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
1656 Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
1660 Click <guibutton>Next</guibutton>. In the panel labeled
1661 <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>.
1662 In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
1663 <constant>HP LaserJet 6</constant>. Click <guibutton>Next</guibutton>.
1667 In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select
1668 <constant>FILE:</constant>. Accept the default printer name by clicking
1669 <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
1670 test page?</quote>, click <guimenuitem>No</guimenuitem>. Click
1671 <guibutton>Finish</guibutton>.
1675 You may be prompted for the name of a file to print to. If so, close the
1676 dialog panel. Right-click <menuchoice>
1677 <guiicon>HP LaserJet 6</guiicon>
1678 <guimenuitem>Properties</guimenuitem>
1679 <guimenusub>Details (Tab)</guimenusub>
1680 <guimenubutton>Add Port</guimenubutton>
1685 In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of
1686 the print queue on the Samba server as follows: <constant>\\BLDG1\hplj6a</constant>.
1688 <guibutton>OK</guibutton>
1689 <guibutton>OK</guibutton>
1690 </menuchoice> to complete the installation.
1694 Repeat the printer installation steps above for both HP LaserJet 6 printers
1695 as well as for both QMS Magicolor laser printers. Remember to install all
1696 printers, but to set the destination port for each to the server on the
1697 local network. For example, a workstation in the Accounting group should
1698 have all printers directed at the server <constant>BLDG1</constant>.
1699 You may elect to point all desktop workstation configurations at the
1700 server called <constant>MASSIVE</constant> and then in your deployment
1701 procedures, it would be wise to document the need to redirect the printer
1702 configuration (as well as the applications server drive mapping) to the
1703 server on the network segment on which the workstation is to be located.
1709 When you are satisfied that the staging systems are complete, use the appropriate procedure to
1710 remove the client from the domain. Reboot the system, and then log on as the local administrator
1711 and clean out all temporary files stored on the system. Before shutting down, use the disk
1712 defragmentation tool so that the file system is in an optimal condition before replication.
1716 Boot the workstation using the Norton (Symantec) Ghosting disk (or CD-ROM) and image the
1717 machine to a network share on the server.
1721 You may now replicate the image using the appropriate Norton Ghost procedure to the target
1722 machines. Make sure to use the procedure that ensures each machine has a unique
1723 Windows security identifier (SID). When the installation of the disk image has completed, boot the PC.
1727 Log onto the machine as the local Administrator (the only option), and join the machine to
1728 the Domain following the procedure set out in <link linkend="domjoin"/>. You must now set the
1729 persistent drive mapping to the applications server that the user is to use. The system is now
1730 ready for the user to logon, providing you have created a network logon account for that
1735 Instruct all users to log onto the workstation using their assigned user name and password.
1742 <title>Key Points Learned</title>
1745 The network you have just deployed has been a valuable exercise in forced constraint.
1746 You have deployed a network that works well, although you may soon start to see
1747 performance problems, at which time the modifications demonstrated in the following
1748 chapter bring the network to life. The following key learning points were experienced:
1753 The power of using &smb.conf; include files
1757 Use of a single PDC over a routed network
1761 Joining a Samba-3 Domain Member server to a Samba-3 Domain
1765 Configuration of winbind to use Domain Users and Groups for Samba access
1766 to resources on the Domain Member servers
1770 The introduction of roaming profiles
1780 <title>Questions and Answers</title>
1785 <qandaset defaultlabel="chap01qa" type="number">
1790 The example &smb.conf; files in this chapter make use of the <parameter>include</parameter> facility.
1791 How may I get to see what the actual working &smb.conf; settings are?
1798 You may readily see the net compound effect of the included files by running:
1800 &rootprompt; testparm -s | less
1811 Why does the include file <filename>common.conf</filename> have an empty include statement?
1818 The use of the empty include statement nullifies further includes. For example, let's say you
1819 desire to have just an smb.conf file that is built from the array of include files of which the
1820 master control file is called <filename>master.conf</filename>. The following command
1821 produces a compound &smb.conf; file.
1823 &rootprompt; testparm -s /etc/samba/master.conf > /etc/samba/smb.conf
1825 If the include parameter was not in the common.conf file, the final &smb.conf; file leaves
1826 the include in place, even though the file it points to has already been included. This is a bug
1827 that will be fixed at a future date.
1837 I accept that the simplest configuration necessary to do the job is the best. The use of <parameter>tdbsam</parameter>
1838 passdb backend is much simpler than having to manage an LDAP-based <parameter>ldapsam</parameter> passdb backend.
1839 I tried using <command>rsync</command> to replicate the <filename>passdb.tdb</filename>, and it seems to work fine!
1840 So what is the problem?
1847 Replication of the <parameter>tdbsam</parameter> database file can result in loss of currency in its
1848 contents between the PDC and BDCs. The most notable symptom is that workstations may not be able
1849 to log onto the network following a reboot and may have to re-join the Domain to recover network
1860 You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
1867 No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server
1868 offers an IP address lease, but it is the client that determines which offer is accepted, no matter how many
1869 offers are made. Under normal operation, the client accepts the first offer it receives.
1873 The only exception to this rule is when the client makes a directed request from a specific DHCP server
1874 for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash.
1884 How does the Windows client find the PDC?
1891 The Windows client obtains the WINS server address from the DHCP lease information. It also
1892 obtains from the DHCP lease information the parameter that causes it to use directed UDP (UDP Unicast)
1893 to register itself with the WINS server and to obtain enumeration of vital network information to
1894 enable it to operate successfully.
1904 Why did you enable IP forwarding (routing) only on the server called <constant>MASSIVE</constant>?
1911 The server called <constant>MASSIVE</constant> is acting as a router to the Internet. No other server
1912 (BLDG1 or BLDG2) has any need for IP forwarding since they are attached only to their own network.
1913 Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network
1914 segments to the router that is its gateway to them.
1924 You did nothing special to implement roaming profiles. Why?
1931 Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional
1932 clients is to use roaming profiles.
1942 On the Domain Member computers, you configured winbind in the <filename>/etc/nsswitch.conf</filename> file.
1943 You did not configure any PAM settings. Is this an omission?
1950 PAM is needed only for authentication. When Samba is using Microsoft encrypted passwords, it makes only
1951 marginal use of PAM. PAM configuration handles only authentication. If you want to log onto the Domain
1952 Member servers using Windows networking user names and passwords, it is necessary to configure PAM
1953 to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name
1954 service switcher (NSS).
1964 You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
1971 Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed
1972 in <emphasis>TOSHARG</emphasis>, where it has a full chapter dedicated to the subject. While we are on the
1973 subject, it should be noted that you should definitely not use SWAT on any system that makes use
1974 of &smb.conf; <parameter>include</parameter> files because SWAT optimizes them out into an aggregated
1975 file but leaves in place a broken reference to the top layer include file. SWAT was not designed to
1976 handle this functionality gracefully.
1986 The Domain Controller has an auto-shutdown script. Isn't that dangerous?
1993 Well done, you spotted that! I guess it is dangerous. It is good to know that you can do this, though.